In the wake of numerous recent data breaches, cybersecurity has become a very high priority for the Department of Defense (DoD). All construction firms that have contracts with the DoD must now comply with the DFARS Cybersecurity mandate. Let’s take a look at everything you need to know if you want to keep existing construction contracts or win new ones with the DoD.

What is DFARS?

DFARS stands for Defense Federal Acquisition Regulation Supplement. It is a set of cybersecurity regulations that the DoD introduced in 2015 to regulate the cybersecurity practices of its external contractors and suppliers.

It is extremely important for all DoD construction contractors to achieve DFARS compliance. Failure to comply can result in your company losing contracts with the DoD. You could even end up on a blacklist that prevents you from working with the DoD again in the future.

On the other hand, taking DFARS compliance seriously can be very good for your construction business. The regulations set out steps you can take to reduce the risk of your company experiencing a cyber attack or data breach. If you take action now to ensure your company is DFARS compliant, it is much less likely that you will have to deal with the inconvenience, costs, and loss of reputation associated with a cybersecurity incident.

How Can Construction Contractors Comply With DFARS?

As a construction contractor, you might feel overwhelmed at the idea of having to understand, interpret, and implement complex cybersecurity regulations. Even with the help of the Self Assessment Handbook provided by NIST, working out what you need to change in your current security processes and procedures to achieve DFARS compliance can be tricky and take up a lot of time for your in-house IT team.

The good news is that you do not have to do all the work to achieve DFARS compliance in house. For many construction contractors, an easier and more practical option is to work with a Managed IT Services Provider or Managed Security Service Provider (MSSP).

A Managed IT Services Provider that specializes in DFARS consulting can carry out a gap analysis to determine your company’s current cybersecurity situation. They can then recommend changes you need to make to achieve DFARS compliance. IT Risk Management and Compliance specialists can also help you to implement tools that can monitor your networks to identify potential security breaches as soon as they occur.

If you choose to work with a Managed IT Services Provider over the long term, your provider can carry out monitoring on your networks 24/7 and respond to security incidents right away. The result is isolating the threat and limiting the damage that it can do to your networks and any sensitive data they hold.

Remember that it is ultimately your responsibility to ensure that your company is in compliance with DFARS, even if you have chosen to outsource the work to a Managed IT Services Provider. Therefore, it is extremely important to work with an IT Services Company with the right skills and experience. Select an IT company that has a strong track record of working with construction companies like yours to help them achieve DFARS compliance. Read reviews and testimonials to ensure you choose an IT support company you can trust.

How Can Construction Contractors Prove DFARS Compliance?

The DoD requires all construction contractors to prove that they have taken the necessary steps to become DFARS compliant. If you work with a Managed Security Services Provider, proving compliance to the DoD is easy. All you need to do is present the documentation that your IT Services Company gives you. If you decide to handle all the DFARS NIST 800-171 compliance requirements in-house, you will have to produce your own paperwork to show that your company is in compliance with the regulations.

What Are the Penalties For DFARS Non-Compliance?

Construction contractors who cannot prove their DFARS compliance can face some very heavy penalties issued by the DoD. If the DoD audits your company and discovers that it is not in compliance with DFARS NIST 800-171, it is likely to issue a stop-work order.

A stop-work order means that your contract with the DoD is suspended until you can prove that you have implemented appropriate security measures. You could also face a fine or be sued for damages for breach of contract or making false claims.

The worst case scenario for a non-compliant DoD construction contractor is to face permanent debarment. This means that your company can never again work with the Department of Defence. As you know, this could have devastating consequences for your ability to find work within the industry, so it is something you need to take steps to avoid.

Take Action Now to Ensure DFARS Compliance

With new security threats emerging all the time, large general contractors and construction firms cannot afford to ignore the issue of DFARS compliance any longer. If you do not already have a trusted Managed IT Services Provider who specializes in IT Services for General Contractors, helping your company to be in compliance with the regulations, it is time to reach out to one today.


Get a CMMC/DFARS Consultation How to Prepare for a CMMC Audit